mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-09-16 07:44:42 -04:00

Update Chrony configurations

Tommy 2023-08-08 21:08:20 -07:00 committed by GitHub
parent 8bfc2ba1c8
commit 90dce6a30b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 1 deletions


@ -388,6 +388,13 @@ If decide on using NTS with chronyd, consider using multiple, independent time p
GrapheneOS uses a [quite nice chrony configuration](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf) for their infrastructure. I recommend that you replicate their `chrony.conf` on your system.
You should also enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`:
```
# Command-line options for chronyd
OPTIONS="-F 1"
```
![Verifying NTS configuration](/images/nts.png)
### Pluggable Authentication Modules (PAM)
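Review bot: The added sentence misspells seccomp as "secommp", and it says "You should also enable" while the same snippet in the other file of this commit is introduced with "Optionally, you can enable"; pick one strength of recommendation and use it in both places. `/etc/sysconfig/chronyd` is the Red Hat family location, so say which distributions this applies to, and note that setting `OPTIONS="-F 1"` replaces any options already present in that file. The new block also appears to land between the chrony.conf recommendation and the "Verifying NTS configuration" image, which separates the image from the NTS text it illustrates; consider placing the seccomp paragraph after the image.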


@ -103,6 +103,9 @@ server ptbtime1.ptb.de iburst nts
minsources 2
authselectmode require
# EF
dscp 46
driftfile /var/lib/chrony/drift
ntsdumpdir /var/lib/chrony
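Review bot: The comment "# EF" above `dscp 46` is too terse for a guide that goes on to explain each setting; spell it out, for example "# Mark NTP packets as Expedited Forwarding (EF)", and add a matching bullet to the explanation list further down. A short remark that DSCP markings only matter on networks configured to honor them would tell readers what to expect from this line.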
@ -117,7 +120,14 @@ cmdport 0
allow 10.0.2.2/32
```
If you are confused about what this configuration is doing, here are some quick explanations:
Optionally, you can enable the secommp filter for chronyd in `/etc/sysconfig/chronyd`:
```
# Command-line options for chronyd
OPTIONS="-F 1"
```
If you are confused about what these configurations are doing, here are some quick explanations:
* We get our time from 4 different sources:
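Review bot: "secommp" in the added "Optionally, you can enable" line should be "seccomp". The rewritten lead-in now says "these configurations", but the bullets that follow start with the time sources from chrony.conf and nothing visible covers the new snippet; add a bullet stating what `-F 1` does (chronyd loads its system call filter and is killed if it makes a blocked call) and that the `OPTIONS` line replaces whatever the file already sets. The new fence, like the one in the other file, has no introductory note on where the file lives on non-Red Hat systems, so readers on other distributions will not find `/etc/sysconfig/chronyd`.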